Healthcare providers can help one another defend against cyberattacks by sharing threat information during and after an attack, and the National Institute of Standards and Technology (NIST) has published draft guidelines on how organizations should build and manage those sharing relationships.
"By sharing cyber threat information, organizations can gain valuable insights about their adversaries," Christopher Johnson, lead author of the guidelines, said in an announcement. "They can learn the types of systems and information being targeted, the techniques used to gain access and indicators of compromise."
NIST is looking for organizations to comment on the draft document by Nov. 28.
Among the recommendations NIST gives in the guidelines:
- Perform an inventory. Organizations should know where critical information is kept, who owns it, how it is protected and when it may be shared. Before sharing data, they should weigh the risk of disclosure, the urgency of and need for sharing, the benefit gained by sharing, and the sensitivity of the information.
- Exchange tools and techniques with others. Rather than operating in isolation, groups should coordinate and collaborate with one another so that their practices become adaptive, proactive and risk-informed.
- Use open and standard data formats. Standard formats and protocols allow interoperability and rapid exchange of information. The guidelines say organizations should use formats that are widely known and easily accessible, as well as secure.
- Ensure resources are available. Providers must consider the possibility of sharing personnel, training and hardware. "Organizations must have a sustainable approach that provides the resources needed for ongoing participation to achieve sustained benefits from information sharing activities," according to the authors.
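The "open and standard data formats" and "risk of disclosure" recommendations above are easiest to see in working code. The following is an added example, not code from the draft or from NIST: it expresses two shared indicators of compromise as STIX 2.1 Indicator objects (the article names no specific format, so STIX is an assumption), carries a TLP marking on each to record how far it may be redistributed, bundles them for exchange, and then applies them to a few constructed DNS log lines. The indicator IDs, hostnames, domains and addresses are all made up for the example.

```python
"""Share an IOC in an open format and apply it locally (added example)."""
import json
import re
import uuid

# TLP marking-definition IDs are fixed by the STIX 2.1 specification.
TLP_WHITE = "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
TLP_GREEN = "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
TLP_AMBER = "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"

# Constructed indicators (IDs and values are invented for this example).
DOMAIN_INDICATOR = {
    "type": "indicator", "spec_version": "2.1",
    "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
    "created": "2014-10-29T00:00:00.000Z", "modified": "2014-10-29T00:00:00.000Z",
    "name": "Example C2 domain", "indicator_types": ["malicious-activity"],
    "pattern": "[domain-name:value = 'c2.example.invalid' OR "
               "domain-name:value = 'alt.example.invalid']",
    "pattern_type": "stix", "valid_from": "2014-10-29T00:00:00Z",
    "object_marking_refs": [TLP_AMBER],   # sensitive: stays inside the org
}
IP_INDICATOR = {
    "type": "indicator", "spec_version": "2.1",
    "id": "indicator--1b6d0d7a-3f5e-4f2c-9a0e-2f9d0c2c9e11",
    "created": "2014-10-29T00:00:00.000Z", "modified": "2014-10-29T00:00:00.000Z",
    "name": "Example C2 address", "indicator_types": ["malicious-activity"],
    "pattern": "[ipv4-addr:value = '203.0.113.5']",
    "pattern_type": "stix", "valid_from": "2014-10-29T00:00:00Z",
    "object_marking_refs": [TLP_WHITE],   # may be passed to other providers
}

# Constructed DNS resolver log lines: "<time> <host> query <name> A <answer>".
SAMPLE_DNS_LOG = [
    "2014-10-29T13:05:11Z ws-17 query c2.example.invalid A 203.0.113.5",
    "2014-10-29T13:05:12Z ws-04 query updates.example.org A 198.51.100.7",
    "2014-10-29T13:06:40Z ehr-db1 query c2.example.invalid A 203.0.113.5",
    "not a log line",
]

# Equality comparisons of the form object:property = 'value'. Only this
# subset of the STIX pattern language is handled; it covers plain IOC lists.
COMPARISON = re.compile(r"([\w-]+:[\w.]+)\s*=\s*'([^']*)'")
LOG_LINE = re.compile(r"^(\S+) (\S+) query (\S+) A (\S+)$")


def parse_pattern(pattern):
    """Return the (object:property, value) pairs in an OR-joined pattern."""
    comparisons = COMPARISON.findall(pattern)
    if not comparisons:
        raise ValueError(f"unsupported pattern: {pattern}")
    return comparisons


def indicator_matches(indicator, record):
    """True if any comparison equals a field of the flat log record."""
    return any(record.get(key) == value
               for key, value in parse_pattern(indicator["pattern"]))


def parse_dns_line(line):
    """Turn one log line into a record keyed by STIX object:property names."""
    m = LOG_LINE.match(line)
    if not m:
        return None          # malformed lines are skipped, not matched
    ts, host, name, answer = m.groups()
    return {"timestamp": ts, "host": host,
            "domain-name:value": name, "ipv4-addr:value": answer}


def scan_dns_log(indicators, lines):
    """Return (host, indicator id) pairs for every log line an IOC matches."""
    hits = []
    for line in lines:
        record = parse_dns_line(line)
        if record is None:
            continue
        hits.extend((record["host"], ind["id"])
                    for ind in indicators if indicator_matches(ind, record))
    return hits


def can_share_outside_org(indicator):
    """Risk-of-disclosure check: only TLP:WHITE/GREEN objects leave the org.
    An unmarked object is treated as unshareable (fail closed)."""
    markings = set(indicator.get("object_marking_refs", []))
    return bool(markings) and markings <= {TLP_WHITE, TLP_GREEN}


def make_bundle(indicators):
    """Wrap indicators in a STIX 2.1 Bundle, the unit exchanged between peers."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": list(indicators)}


def serialize_bundle(indicators):
    """JSON text of the bundle, ready to hand to a sharing partner."""
    return json.dumps(make_bundle(indicators), indent=2)


if __name__ == "__main__":
    for host, ind_id in scan_dns_log([DOMAIN_INDICATOR, IP_INDICATOR], SAMPLE_DNS_LOG):
        print(f"{host} matched {ind_id}")
    outbound = [i for i in (DOMAIN_INDICATOR, IP_INDICATOR) if can_share_outside_org(i)]
    print(serialize_bundle(outbound))
```

Two design points matter here. The matcher only understands the equality-and-OR subset of STIX patterns, so it raises on anything else rather than silently matching nothing; a real deployment would hand patterns to a full evaluator. And the sharing check is deliberately fail-closed: an indicator with no marking is never forwarded, which is the conservative reading of the draft's advice to weigh the risk of disclosure before sharing.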
In addition to those recommendations, the 72-page draft walks through an example cyberattack lifecycle, describes information sharing architectures and lists questions to ask after attack information has been shared.
NIST's cybersecurity framework has drawn some criticism; Lee Kim of the Healthcare Information and Management Systems Society said it would be "more usable and more prescriptive" for healthcare entities if it gave more specific guidance on implementation.